Manage User Identities on Confluent Cloud
User account types
Confluent Cloud provides two user account types (local and SSO) and four authentication methods (username/password, Google, GitHub, and SSO), as summarized in the following table.
User account type | Authentication method | Description |
---|---|---|
Local | Username/password | A local user that authenticates using a username and password. |
Local | Google (using Sign in with Google) | A local user account that authenticates using a user’s Google account. |
Local | GitHub (using Sign in with GitHub) | A local user account that authenticates using a user’s GitHub account. |
SSO | SSO | A user account that authenticates using single sign-on (SSO) with an organization’s identity provider (IdP). |
Note that Confluent Cloud user accounts have the following conditions and limitations:
- Each user account represents one user and allows management of their access to Confluent Cloud.
- User accounts are organization-level resources and there is a limit on the number of user accounts in an organization. An organization can have only one identity provider (IdP).
- You can sign in to a user account using the Confluent Cloud Console or Confluent CLI. User accounts may own all types of API keys.
- You can bind role-based access control (RBAC) roles to user accounts.
- Principals (user and service accounts) can be granted ACLs, RBAC role bindings, or a combination of the two. For details, see Use ACLs with RBAC on Confluent Cloud.
- You can create and manage user accounts using the Confluent Cloud Console or the Confluent CLI command confluent iam user invitation create.
- A user account can be a member of one or more organizations. When a user is a member of multiple organizations, their authentication type is the same across all organizations. For details, see Manage Multiple Organizations on Confluent Cloud.
- If your email provider supports creating multiple accounts or aliases by adding a plus sign (+) and a tag or word before the @ sign in an email address, you can use this feature to create multiple user accounts on Confluent Cloud.
Use multi-factor authentication with user accounts
Multi-factor authentication (MFA), including two-factor authentication (2FA), is supported for Confluent Cloud accounts when you use single sign-on (SSO) with an MFA option provided by your SSO identity provider.
Note
For local user accounts in Confluent Cloud, multi-factor authentication is not available.
For information on security protections used by Confluent to prevent unauthorized access to user accounts and Confluent Cloud resources, see Security Protections for Authentication on Confluent Cloud.
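The following audit sketch is an added example, not Confluent code. It takes an exported user inventory, lists the accounts that cannot be covered by MFA (local accounts), and groups accounts that are plus-sign aliases of one mailbox. The record layout and the field names `email` and `auth_type` are assumptions for illustration, not the Confluent CLI or API output schema, and the sample records are constructed.

```python
from collections import defaultdict

# Constructed sample inventory. Field names are assumptions for this example.
USERS = [
    {"email": "ana@example.com", "auth_type": "sso"},
    {"email": "ben@example.com", "auth_type": "local"},
    {"email": "ben+admin@example.com", "auth_type": "local"},
    {"email": "Ben+ci@Example.com", "auth_type": "local"},
    {"email": "cy@example.com", "auth_type": "local"},
]


def base_mailbox(email):
    """Return the lowercased address with any +tag removed from the local part."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {email!r}")
    # Keep the full local part if it starts with "+" (nothing precedes the tag).
    base = local.split("+", 1)[0] or local
    return f"{base.lower()}@{domain.lower()}"


def accounts_without_mfa(users):
    """Local accounts have no MFA option; SSO accounts get MFA only via the IdP."""
    return sorted(u["email"] for u in users if u["auth_type"].lower() != "sso")


def alias_groups(users):
    """Map each underlying mailbox to its accounts when it backs more than one."""
    groups = defaultdict(list)
    for u in users:
        groups[base_mailbox(u["email"])].append(u["email"])
    return {box: sorted(addrs) for box, addrs in groups.items() if len(addrs) > 1}


if __name__ == "__main__":
    print("Accounts with no MFA option:")
    for email in accounts_without_mfa(USERS):
        print("  ", email)
    print("Mailboxes backing several accounts:")
    for box, addrs in alias_groups(USERS).items():
        print("  ", box, "->", ", ".join(addrs))
```

A mailbox that backs several local accounts is a single credential-recovery point for all of them, so those groups are worth reviewing first.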